Installation Guide

Shibboleth Service Provider (SP) - Installation Guide

For the Shibboleth SP version 2.6, INFED recommends relying on an enterprise-grade Linux distribution with long term support: specifically, either Ubuntu Server LTS or Red Hat Enterprise Linux / CentOS.

As per above information, the sections below will configure the SP with the following parameters:

  • the name of the Service Provider is yourdomain.org
  • the SP entityID https://yourdomain.org/shibboleth
  • Federation metadata available from http:// parichay.inflibnet.ac.in/metadata/infed.xml and https://parichay.inflibnet.ac.in/metadata/interfederation_sp.xml

1. System requirements

For the Shibboleth IdP 3, we recommend a system with at least 2 GB of memory (4 GB needed if you would like to avail the facility of interfederation services). The below basic tools also mandatory:

curl
It will help us to download software and configuration files.
OpenSSL
Package: openssl, the command-line tool will be used to deal with server certificates.
tar and unzip
Used to untar/unzip the archives (and also useful for listing contents of .war/.jar files).

2. Software Requirement

The Shibboleth IdP is developed under Java environment and therefore requires a Servlet container. Our recommended setup consists of the following components:

  • Apache HTTP Server 2.4 or higher
  • Apache Tomcat 8 for the Java Servlet container

3. shibboleth Repository

The Shibboleth project operates its own repository that provides the official Shibboleth Service Provider binaries and its dependencies for RPM-based Linux distributions. This repository contains always up-to-date version of the Shibboleth Service Provider. Therefore, it is recommended to prefer this repository and its packages over packages that may be provided by the OS distribution.

For Centos 5.x:

sudo curl -o /etc/yum.repos.d/security:shibboleth.repo  http://download.opensuse.org/repositories/security:/shibboleth/CentOS_5/security:shibboleth.repo

For Centos 6.x:

ssudo curl -o /etc/yum.repos.d/security:shibboleth.repo  http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/security:shibboleth.repo

4. Shibboleth SP installation

Install the Service Provider by:

For 32-bit OS:

sudo yum install shibboleth

For 64-bit OS:

sudo yum install shibboleth.x86_64

If asked to confirm whether you really want to install Shibboleth and all dependencies, answer with 'Y' for yes.

After installation of the package, you need to start the shibd daemon:

sudo service shibd start

Shibboleth does not support the SP in conjunction with SELinux. To disable SELinux, configure SELINUX=disabled in /etc/selinux/config and reboot the system. If there was an older version of a Service Provider already installed on the system, you might be asked whether to keep the existing configuration files or overwrite them with the package default files. The old configuration files should be kept. You can continue to use the old files in most cases. Generally, it is however recommended to perform a clean configuration as is described in the configuration guide mentioned below.

export http_proxy=proxy.example.org:8080

5. Quick Test

The Service Provider should now be installed on the system contauns following directories:

/etc/shibboleth
Configuration directory of Shibboleth. The main configuration file is shibboleth2.xml.
/var/log/shibboleth
Log directory where logs are written to. The most important log file is the shibd.log file that should be consulted in case of problems.
/run/shibboleth
Runtime directory where process ID and socket files are stored.
/var/cache/shibboleth
Cache directory where metadata backup and CRL files are stored.
/etc/init.d
Init script directory where the startup script for the shibd daemon is stored.

5.1.Shibboleth Configuration Check

In the command line, execute the following command to see whether the Shibboleth Service Provider can load the default configuration:
sudo shibd -t
Important is that the last line of the output is:
overall configuration is loadable, check console for non-fatal problems
If there are any ERROR log entries, it is strongly recommended to have a look at the problem.
Messages with log level WARN are generally not problematic but it is recommended to examine the causes of these warning messages.

5.2. Apache Configuration Check

Also test the Apache configuration with the command: or
sudo apachectl configtest
The output of this command should be:
Syntax OK

5.3. mod_shib Test

(Re-) Start the web server and then access the URL: https:///Shibboleth.sso/Session.

The web server (or Shibboleth module respectively) should return a page that says:
A valid session was not found.
This message shows that the Shibboleth module is loaded by the webserver and is communicating with the shibd process.

6. SP Registration with INFED

You are requested to send your metadata file along with below details which is available in /opt/shibboleth-idp/metadata directory to https://parichay.inflibnet.ac.in/rr3/providers/sp_registration

1. About Service Provider , 2. Administrative Contact and 3. Technical Contact.

After completion of this step, the INFED team will check the information you provided and approve your request (or contact you in case the data need to be modified).